Hi @colin.coutts, I really appreciate you took the time to answer me.
I’ve posted a question on StackOverflow.
I need to be able to assign roles after the user has signed up (or logged in for the very first time) using some social provider. But this needs to happen automatically, as I am actually doing it using Database Connection.
This is the flow using Database connection:
- managementApiClient.Users.CreateAsync(new UserCreateRequest{…})
- managementApiClient.Users.AssignRolesAsync(userId, new AssignRolesRequest { Roles = [/* Customer or Provider depending on a query string parameter */] })
- response = await authenticationApiClient.GetTokenAsync(new ResourceOwnerTokenRequest{…});
- return response.AccessToken
The access token returned in step 4 contains all the scopes the user requires in order to hit the APIs
Now, using the Social Login flow, even though I am using different URL callbacks to identify Customers from Providers, and even though I am assigning the corresponding roles, they are not included in the access_token (even after getting a refreshed token).
So the steps I am following are:
- Create the URL using authenticationApiClient.BuildAuthorizationUrl() with the AuthorizationResponseType.Code flow, including the required scopes (offline_access, openid, scope:Customer or scope:Provider) (each role has its own URL callback)
- Exchange AuthCode for an access_token and refresh_token
- Query the /userinfo endpoint to get the userId
- managementApiClient.Users.AssignRolesAsync(userId, new AssignRolesRequest { Roles = […] })
- AccessTokenResponse response = await authenticationApiClient.GetTokenAsync(new RefreshTokenRequest { … }); // Pay attention here: we are refreshing the token to get the scopes applied
- return response.AccessToken
So, this last AccessToken does not include any of the requested scopes; as a consequence, the user cannot use any of our APIs.
The workaround we found is to create a custom rule and assign their roles on the very first login. At this point we cannot distinguish Customers from Providers.
For now, we only want social logins for Customers. But this will break as soon as we decide to implement social login for roles other than Customer.
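Before chasing the AssignRolesAsync step in either flow, it helps to verify the signature of the access token you got back and list exactly which authorizations it carries, so you know whether the problem is in role assignment or in the token that is minted afterwards. The following is an added example that is not part of the post or of any Auth0 SDK: it signs two constructed tokens with HS256 and a constructed shared secret (real Auth0 tokens are normally RS256 and would be verified against the tenant's JWKS instead), verifies the signature before trusting any claim, and reports which of the required scopes are missing. The claim names `scope` (space-separated string) and `permissions` (list) and the sample `sub` values are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python requires."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Build a compact JWT signed with HS256 (only to create sample input offline)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()).encode()
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return signing_input.decode() + "." + b64url_encode(signature)


def verify_and_decode(token: str, secret: bytes) -> dict:
    """Return the claims only if the HS256 signature checks out; raise otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part JWT")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def is_valid(token: str, secret: bytes) -> bool:
    try:
        verify_and_decode(token, secret)
        return True
    except ValueError:
        return False


def granted_authorizations(claims: dict) -> set:
    """Union of the 'scope' string and the 'permissions' list (assumed claim names)."""
    granted = set(claims.get("scope", "").split())
    granted.update(claims.get("permissions", []))
    return granted


def missing_authorizations(token: str, secret: bytes, required) -> set:
    """Scopes the caller needs that a verified token does not carry."""
    return set(required) - granted_authorizations(verify_and_decode(token, secret))


# Constructed sample data: a throwaway secret and two tokens that mimic the post's
# "before role assignment" and "after role assignment" situations.
SECRET = b"constructed-demo-secret-not-a-real-key"
REQUIRED = {"openid", "offline_access", "scope:Customer"}
TOKEN_WITHOUT_ROLE = make_hs256_token(
    {"sub": "auth0|constructed-user", "scope": "openid offline_access"}, SECRET
)
TOKEN_WITH_ROLE = make_hs256_token(
    {
        "sub": "auth0|constructed-user",
        "scope": "openid offline_access scope:Customer",
        "permissions": ["read:orders"],
    },
    SECRET,
)


if __name__ == "__main__":
    for label, token in (("without role", TOKEN_WITHOUT_ROLE), ("with role", TOKEN_WITH_ROLE)):
        print(label, "missing:", missing_authorizations(token, SECRET, REQUIRED) or "none")
```

Run against the token returned by the refresh step in each flow: an empty "missing" set means the token is fine and the API authorization check is the next place to look; a non-empty set means the role really did not reach the token and the assignment or refresh step is at fault.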